doorkeeper 5.0.3 → 5.1.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 897eb14bd6b334b3b9f69f5cd54bfe524baddc09b3f96159f29a3c0b32b89d9b
-  data.tar.gz: b7bdd3e4d3cef46cb68fca0ac0bc854b5fa28c170c70a244b331b223d035d16f
+  metadata.gz: 5773ab2b97881fdf1bb6fa66a4e176299d58c536f354ea9e9f4f7bb6dc0dcdea
+  data.tar.gz: 69ac6937d7eb7786a8c9ac331f540ef5aa1321b7c0624a0778c7437151764569
 SHA512:
-  metadata.gz: ff4eb6145d1a432a2cb31055ccf4fcbbaa0d91f3cb8c59ad061ede4d25b6ca345e1b5404c7180816524b5e0c650e359189d42790be61d025eeb940781accac52
-  data.tar.gz: 30463a001c175d07cecda2f760ed669c5c460c6fd0e3ed802b9988c8ca3b15e80fd335022f61b9cec9954d7906c53e160a3462df8988f9f0a756dff2a7452cb1
+  metadata.gz: 5e4b8470847ab8e642d50d27972838c0b5181b3c97c4a25afca18861b3878e513346f7b72d5c5d6c31b5d8513d90c1e6426e0cfcfce51a06b1e04e563ae09ab0
+  data.tar.gz: 79c4363faf9a3f41bc639ee6e6ec756efbd99a96e4670e788bc4201b6f69eb992ffc95f2f56e3efbcd5645f2ed76e2c8d29f6e9807ffb6841becd31d868c6963

data/.travis.yml

@@ -1,5 +1,5 @@
-cache: bundler
 language: ruby
+cache: bundler
 sudo: false
 
 rvm:
@@ -8,10 +8,12 @@ rvm:
   - 2.3
   - 2.4
   - 2.5
-  - ruby-2.6.0-preview1
+  - 2.6
+  - ruby-head
 
 before_install:
-  - gem update --system # Need for Ruby 2.5.0. https://github.com/travis-ci/travis-ci/issues/8978
+  - "find /home/travis/.rvm/rubies -wholename '*default/bundler-*.gemspec' -delete"
+  - rvm @global do gem uninstall bundler -a -x -I || true
   - gem install bundler -v '~> 1.10'
 
 gemfile:
@@ -41,5 +43,7 @@ matrix:
       rvm: 2.2
     - gemfile: gemfiles/rails_master.gemfile
       rvm: 2.3
+    - gemfile: gemfiles/rails_master.gemfile
+      rvm: 2.4
   allow_failures:
     - gemfile: gemfiles/rails_master.gemfile

data/Dangerfile

@@ -17,7 +17,7 @@ end
 # --------------------------------------------------------------------------------------------------------------------
 # Has any changes happened inside the actual library code?
 # --------------------------------------------------------------------------------------------------------------------
-has_app_changes = !git.modified_files.grep(/lib/).empty?
+has_app_changes = !git.modified_files.grep(/lib|app/).empty?
 has_spec_changes = !git.modified_files.grep(/spec/).empty?
 
 # --------------------------------------------------------------------------------------------------------------------
@@ -52,7 +52,10 @@ Here's an example of a #{CHANGELOG_FILE} entry:
 ```
   MARKDOWN
 
-  fail("Please include a changelog entry. \nYou can find it at [#{CHANGELOG_FILE}](#{GITHUB_REPO}/blob/master/#{CHANGELOG_FILE}).")
+  warn(
+    "Please include a changelog entry. \nYou can find it at [#{CHANGELOG_FILE}](#{GITHUB_REPO}/blob/master/#{CHANGELOG_FILE})." +
+      "You can skip this warning only if you made some typo fix or other small changes that didn't affect the API."
+  )
 end
 
 if git.commits.any? { |commit| commit.message =~ /^Merge branch '#{github.branch_for_base}'/ }

data/Gemfile

@@ -1,9 +1,11 @@
 source "https://rubygems.org"
 
-gem "rails", "~> 5.2"
+gem "rails", ">= 5.2.1.1", "< 6.0"
 
 gem "appraisal"
 
+gem "bcrypt", "~> 3.1"
+
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", platform: [:ruby, :mswin, :mingw, :x64_mingw]
 gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw]

data/NEWS.md

@@ -5,10 +5,17 @@ upgrade guides.
 
 User-visible changes worth mentioning.
 
-## 5.0.3
-
-[#1371] Backport: Add #as_json method and attributes serialization restriction for Application model.
-        Fixes information disclosure vulnerability (CVE-2020-10187).
+## master
+
+- [#1188]  Use `params` instead of `request.POST` in tokens controller (fixes #1183).
+- [#1179] Authorization Code Grant Flow without client id returns invalid_client error.
+- [#1182] Fix loopback IP redirect URIs to conform with RFC8252, p. 7.3 (fixes #1170).
+- [#1177] Allow to limit `scopes` for certain `grant_types`
+- [#1162] Fix `enforce_content_type` for requests without body.
+- [#1164] Fix error when `root_path` is not defined.
+- [#1175] Internal refactor: use `scopes_string` inside `scopes`.
+- [#1176] Fix test factory support for `factory_bot_rails`
+- [#1168]: Allow optional hashing of tokens and secrets.
 
 ## 5.0.2
 
@@ -59,12 +66,12 @@ User-visible changes worth mentioning.
   `Doorkeeper#installed?` method
 - [#1031] Allow public clients to authenticate without `client_secret`. Define an app as
   either public or private/confidential
-  
+
   **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
     You need to manually change `confidential` column to `false` if you are using public clients,
     in other case your mobile (or other) applications will not be able to authorize.
     See [#1142](https://github.com/doorkeeper-gem/doorkeeper/issues/1142) for more details.
-  
+
 - [#1010] Add configuration to enforce configured scopes (`default_scopes` and
   `optional_scopes`) for applications
 - [#1060] Ensure that the native redirect_uri parameter matches with redirect_uri of the client
@@ -82,26 +89,26 @@ User-visible changes worth mentioning.
 - [#1076] Add config to enforce content type to application/x-www-form-urlencoded
 - Fix bug with `force_ssl_in_redirect_uri` when it breaks existing applications with an
   SSL redirect_uri.
-  
+
 ## 4.4.3
-  
+
 - [#1143] Adds a config option `opt_out_native_route_change` to opt out of the breaking api
   changed introduced in https://github.com/doorkeeper-gem/doorkeeper/pull/1003
 
-  
+
 ## 4.4.2
 
 - [#1130] Backport fix for native redirect_uri from 5.x.
-  
+
 ## 4.4.1
 
 - [#1127] Backport token type to comply with the RFC6750 specification.
 - [#1125] Backport Quote surround I18n yes/no keys
-  
+
 ## 4.4.0
-  
+
 - [#1120] Backport security fix from 5.x for token revocation when using public clients
-  
+
   **[IMPORTANT]**: all the applications (clients) now are considered as private by default.
   You need to manually change `confidential` column to `false` if you are using public clients,
   in other case your mobile (or other) applications will not be able to authorize.

data/README.md

@@ -117,7 +117,7 @@ migration:
 [PKCE flow]: https://tools.ietf.org/html/rfc7636
 
 ```sh
-    rails generate doorkeeper:pkce
+rails generate doorkeeper:pkce
 ```
 
 Then run migrations:

data/app/controllers/doorkeeper/applications_controller.rb

@@ -19,7 +19,7 @@ module Doorkeeper
     def show
       respond_to do |format|
         format.html
-        format.json { render json: @application, as_owner: true }
+        format.json { render json: @application }
       end
     end
 
@@ -35,7 +35,7 @@ module Doorkeeper
 
         respond_to do |format|
           format.html { redirect_to oauth_application_url(@application) }
-          format.json { render json: @application, as_owner: true }
+          format.json { render json: @application }
         end
       else
         respond_to do |format|
@@ -53,7 +53,7 @@ module Doorkeeper
 
         respond_to do |format|
           format.html { redirect_to oauth_application_url(@application) }
-          format.json { render json: @application, as_owner: true }
+          format.json { render json: @application }
         end
       else
         respond_to do |format|

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -9,7 +9,7 @@ module Doorkeeper
 
       respond_to do |format|
         format.html
-        format.json { render json: @applications, current_resource_owner: current_resource_owner }
+        format.json { render json: @applications }
       end
     end
 

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -4,11 +4,11 @@ module Doorkeeper
   class TokensController < Doorkeeper::ApplicationMetalController
     def create
       response = authorize_response
-      headers.merge! response.headers
+      headers.merge!(response.headers)
       self.response_body = response.body.to_json
       self.status = response.status
-    rescue Errors::DoorkeeperError => e
-      handle_token_exception e
+    rescue Errors::DoorkeeperError => error
+      handle_token_exception(error)
     end
 
     # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
@@ -75,12 +75,12 @@ module Doorkeeper
     end
 
     def token
-      @token ||= AccessToken.by_token(request.POST['token']) ||
-        AccessToken.by_refresh_token(request.POST['token'])
+      @token ||= AccessToken.by_token(params['token']) ||
+        AccessToken.by_refresh_token(params['token'])
     end
 
     def strategy
-      @strategy ||= server.token_request params[:grant_type]
+      @strategy ||= server.token_request(params[:grant_type])
     end
 
     def authorize_response

data/app/views/doorkeeper/applications/show.html.erb

@@ -8,7 +8,7 @@
     <p><code class="bg-light" id="application_id"><%= @application.uid %></code></p>
 
     <h4><%= t('.secret') %>:</h4>
-    <p><code class="bg-light" id="secret"><%= @application.secret %></code></p>
+    <p><code class="bg-light" id="secret"><%= @application.plaintext_secret %></code></p>
 
     <h4><%= t('.scopes') %>:</h4>
     <p><code class="bg-light" id="scopes"><%= @application.scopes.presence || raw('&nbsp;') %></code></p>

data/app/views/layouts/doorkeeper/admin.html.erb

@@ -17,9 +17,11 @@
       <li class="nav-item <%= 'active' if request.path == oauth_applications_path %>">
         <%= link_to t('doorkeeper.layouts.admin.nav.applications'), oauth_applications_path, class: 'nav-link' %>
       </li>
-      <li class="nav-item">
-        <%= link_to t('doorkeeper.layouts.admin.nav.home'), root_path, class: 'nav-link' %>
-      </li>
+      <% if respond_to?(:root_path) %>
+        <li class="nav-item">
+          <%= link_to t('doorkeeper.layouts.admin.nav.home'), root_path, class: 'nav-link' %>
+        </li>
+      <% end %>
     </ul>
   </div>
 </nav>

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'rails/all'
+require 'doorkeeper'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/gemfiles/rails_4_2.gemfile

@@ -3,6 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "~> 4.2.0"
+gem "bcrypt", "~> 3.1"
 gem "appraisal"
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", platform: [:ruby, :mswin, :mingw, :x64_mingw]

data/gemfiles/rails_5_0.gemfile

@@ -3,6 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "~> 5.0.0"
+gem "bcrypt", "~> 3.1"
 gem "appraisal"
 gem "activerecord-jdbcsqlite3-adapter", platforms: :jruby
 gem "sqlite3", platforms: [:ruby, :mswin, :mingw, :x64_mingw]

data/gemfiles/rails_5_1.gemfile

@@ -3,6 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "~> 5.1.0"
+gem "bcrypt", "~> 3.1"
 gem "appraisal"
 gem "activerecord-jdbcsqlite3-adapter", platforms: :jruby
 gem "sqlite3", platforms: [:ruby, :mswin, :mingw, :x64_mingw]

data/gemfiles/rails_5_2.gemfile

@@ -2,7 +2,8 @@
 
 source "https://rubygems.org"
 
-gem "rails", "5.2.0"
+gem "rails", "~> 5.2.0"
+gem "bcrypt", "~> 3.1"
 gem "appraisal"
 gem "activerecord-jdbcsqlite3-adapter", platforms: :jruby
 gem "sqlite3", platforms: [:ruby, :mswin, :mingw, :x64_mingw]

data/gemfiles/rails_master.gemfile

@@ -6,6 +6,7 @@ gem "rails", git: 'https://github.com/rails/rails'
 gem "arel", git: 'https://github.com/rails/arel'
 
 gem "appraisal"
+gem "bcrypt", "~> 3.1"
 gem "activerecord-jdbcsqlite3-adapter", platform: :jruby
 gem "sqlite3", platform: [:ruby, :mswin, :mingw, :x64_mingw]
 gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw]

data/lib/doorkeeper.rb

@@ -56,6 +56,7 @@ require 'doorkeeper/models/concerns/scopes'
 require 'doorkeeper/models/concerns/expirable'
 require 'doorkeeper/models/concerns/revocable'
 require 'doorkeeper/models/concerns/accessible'
+require 'doorkeeper/models/concerns/hashable'
 
 require 'doorkeeper/models/access_grant_mixin'
 require 'doorkeeper/models/access_token_mixin'

data/lib/doorkeeper/config.rb

@@ -46,6 +46,7 @@ module Doorkeeper
       end
 
       def build
+        @config.validate
         @config
       end
 
@@ -83,6 +84,13 @@ module Doorkeeper
         @config.instance_variable_set(:@optional_scopes, OAuth::Scopes.from_array(scopes))
       end
 
+      # Define scopes_by_grant_type to limit certain scope to certain grant_type
+      # @param { Hash } with grant_types as keys.
+      # Default set to {} i.e. no limitation on scopes usage
+      def scopes_by_grant_type(hash = {})
+        @config.instance_variable_set(:@scopes_by_grant_type, hash)
+      end
+
       # Change the way client credentials are retrieved from the request object.
       # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
       # falls back to the `:client_id` and `:client_secret` params from the
@@ -136,6 +144,24 @@ module Doorkeeper
       def enforce_content_type
         @config.instance_variable_set(:@enforce_content_type, true)
       end
+
+      # Allow optional hashing of input tokens before persisting them.
+      # Will be used for hashing of input token and grants.
+      def hash_token_secrets
+        @config.instance_variable_set(:@hash_token_secrets, true)
+      end
+
+      # Allow optional hashing of application secrets before persisting them.
+      # Will be used for hashing of input token and grants.
+      def hash_application_secrets
+        @config.instance_variable_set(:@hash_application_secrets, true)
+      end
+
+      # Allow plain value lookup when using +hash_token_secrets+
+      # or +hash_application_secrets+ to avoid disrupting application experience
+      def fallback_to_plain_secrets
+        @config.instance_variable_set(:@fallback_to_plain_secrets, true)
+      end
     end
 
     module Option
@@ -286,9 +312,14 @@ module Doorkeeper
     option :base_controller,
            default: 'ActionController::Base'
 
-    attr_reader :reuse_access_token
-    attr_reader :api_only
-    attr_reader :enforce_content_type
+    attr_reader :api_only,
+                :enforce_content_type,
+                :reuse_access_token
+
+    # Return the valid subset of this configuration
+    def validate
+      validate_reuse_access_token_value
+    end
 
     def api_only
       @api_only ||= false
@@ -307,21 +338,33 @@ module Doorkeeper
     end
 
     def enforce_configured_scopes?
-      !!(defined?(@enforce_configured_scopes) && @enforce_configured_scopes)
+      option_set? :enforce_configured_scopes
     end
 
     def enable_application_owner?
-      !!(defined?(@enable_application_owner) && @enable_application_owner)
+      option_set? :enable_application_owner
     end
 
     def confirm_application_owner?
-      !!(defined?(@confirm_application_owner) && @confirm_application_owner)
+      option_set? :confirm_application_owner
     end
 
     def raise_on_errors?
       handle_auth_errors == :raise
     end
 
+    def hash_token_secrets?
+      option_set? :hash_token_secrets
+    end
+
+    def hash_application_secrets?
+      option_set? :hash_application_secrets
+    end
+
+    def fallback_to_plain_secrets?
+      option_set? :fallback_to_plain_secrets
+    end
+
     def default_scopes
       @default_scopes ||= OAuth::Scopes.new
     end
@@ -334,6 +377,10 @@ module Doorkeeper
       @scopes ||= default_scopes + optional_scopes
     end
 
+    def scopes_by_grant_type
+      @scopes_by_grant_type ||= {}
+    end
+
     def client_credentials_methods
       @client_credentials_methods ||= %i[from_basic from_params]
     end
@@ -352,6 +399,12 @@ module Doorkeeper
 
     private
 
+    # Helper to read boolearized configuration option
+    def option_set?(instance_key)
+      var = instance_variable_get("@#{instance_key}")
+      !!(defined?(var) && var)
+    end
+
     # Determines what values are acceptable for 'response_type' param in
     # authorization request endpoint, and return them as an array of strings.
     #
@@ -370,5 +423,19 @@ module Doorkeeper
       types << 'refresh_token' if refresh_token_enabled?
       types
     end
+
+    # Determine whether +reuse_access_token+ and +hash_token_secrets+
+    # have both been activated.
+    #
+    # In that case, disable reuse_access_token value and warn the user.
+    def validate_reuse_access_token_value
+      return unless hash_token_secrets? && reuse_access_token
+
+      ::Rails.logger.warn(
+        'You are configured both reuse_access_token AND hash_token_secrets. ' \
+        'This combination is unsupported. reuse_access_token will be disabled'
+      )
+      @reuse_access_token = false
+    end
   end
 end